Restore an Amazon EC2 instance - Amazon Backup
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Restore an Amazon EC2 instance

When you restore an EC2 instance, Amazon Backup creates an Amazon Machine Image (AMI), an instance, the Amazon EBS root volume, Amazon EBS data volumes (if the protected resource had data volumes), and Amazon EBS snapshots. You can customize some instance settings using the Amazon Backup console, or a larger number of settings using the Amazon CLI or an Amazon SDK.

The following considerations apply to restoring EC2 instances:

  • Amazon Backup configures the restored instance to use the same key pair that the protected resource used originally. You can't specify a different key pair for the restored instance during the restore process.

  • Amazon Backup does not back up and restore user-data that is used while launching an Amazon EC2 instance.

  • When configuring the restored instance, you can choose between using the same instance profile that the protected resource used originally or launching without an instance profile. This is to prevent the possibility of privilege escalations. You can update the instance profile for the restored instance using the Amazon EC2 console.

    If you use the original instance profile, you must grant Amazon Backup the following permission, where the resource ARN is the ARN of the IAM role associated with the instance profile:

    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws-cn:iam::account-id:role/role-name"
    }
  • During a restore, all Amazon EC2 quotas and configuration restrictions apply.

  • If the vault containing your Amazon EC2 recovery points has a vault lock, see Additional security considerations for more information.

Use the Amazon Backup console to restore Amazon EC2 recovery points

You can restore an entire Amazon EC2 instance from a single recovery point, including the root volume, data volumes, and some instance configuration settings, such as the instance type and key pair.

To restore Amazon EC2 resources using the Amazon Backup console
  1. Open the Amazon Backup console at https://console.amazonaws.cn/backup.

  2. In the navigation pane, choose Protected resources, then choose the ID of the Amazon EC2 resource to open the resource details page.

  3. In the Recovery points pane, choose the radio button next to the ID of the recovery point to restore. In the upper-right corner of the pane, choose Restore.

  4. In the Network settings pane, we use the settings from the protected instance to select the default values for the instance type, VPC, subnet, security group, and instance IAM role. You can use these default values or change them as needed.

  5. In the Restore role pane, use the Default role or use Choose an IAM role to specify an IAM role that grants Amazon Backup permission to restore the backup.

  6. In the Protected resource tags pane, we select Copy tags from the protected resource to the restored resource by default. If you do not want to copy these tags, clear the check box.

  7. In the Advanced settings pane, accept the default values for the instance settings or change them as needed. For information about these settings, choose Info for the setting to open its help pane.

  8. When you have finished configuring the instance, choose Restore backup.

Restore Amazon EC2 with Amazon CLI

In the command line interface, start-restore-job allows you to restore with up to 32 parameters (including some parameters that are not customizable through the Amazon Backup console).

The following list is the accepted metadata you can pass to restore an Amazon EC2 recovery point:

  • InstanceType
  • KeyName
  • SubnetId
  • Architecture
  • EnaSupport
  • SecurityGroupIds
  • IamInstanceProfileName
  • CpuOptions
  • InstanceInitiatedShutdownBehavior
  • HibernationOptions
  • DisableApiTermination
  • CreditSpecification
  • Placement
  • RootDeviceType
  • RamdiskId
  • KernelId
  • UserData
  • Monitoring
  • NetworkInterfaces
  • ElasticGpuSpecification
  • CapacityReservationSpecification
  • InstanceMarketOptions
  • LicenseSpecifications
  • EbsOptimized
  • VirtualizationType
  • Platform
  • RequireIMDSv2
  • BlockDeviceMappings
  • aws:backup:request-id

Amazon Backup accepts the following information-only attributes. However, including them will not affect the restore:

vpcId

BlockDeviceMappings is an optional parameter you can include. Amazon Backup supports the following BlockDeviceMappings attributes.

Note

SnapshotId and OutpostArn are not supported.

{
  "BlockDeviceMappings": [
    {
      "DeviceName": string,
      "NoDevice": string,
      "VirtualName": string,
      "Ebs": {
        "DeleteOnTermination": boolean,
        "Iops": number,
        "VolumeSize": number,
        "VolumeType": string,
        "Throughput": number,
        "Encrypted": boolean,
        "KmsKeyId": string
      }
    }
  ]
}

For example:

{
  "BlockDeviceMappings": [
    {
      "DeviceName": "/def/tuvw",
      "Ebs": {
        "DeleteOnTermination": true,
        "Iops": 3000,
        "VolumeSize": 16,
        "VolumeType": "gp3",
        "Throughput": 125,
        "Encrypted": true,
        "KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/ab3cde45-67f8-9g01-hi2j-3456klmno7p8"
      }
    },
    {
      "DeviceName": "/abc/xyz",
      "Ebs": {
        "DeleteOnTermination": false,
        "Iops": 3000,
        "VolumeSize": 16,
        "VolumeType": "gp3",
        "Throughput": 125,
        "Encrypted": false
      }
    }
  ]
}

You can also restore an Amazon EC2 instance without including any stored parameters. This option is available on the Protected resource tab on the Amazon Backup console.

Important

If you do not override the Amazon KMS key in the BlockDeviceMappings when restoring from cross-account or cross-Region backups, your restore might fail. For more information, see Troubleshoot Amazon EC2 instance restore issues.

Troubleshoot Amazon EC2 instance restore issues

Cross-account restore failures

Description: Amazon EC2 instance restore fails when attempting to restore from a backup that is shared with your account.

Possible issues: Your account might not have access to the Amazon KMS keys used to encrypt the source volumes in the sharing account. The KMS keys might not be shared with your account.

Or, the volumes attached to the source instance are unencrypted.

Solution: To resolve this issue, set the encrypted attribute to true, and do one of the following:

  • Override the KMS keys in the BlockDeviceMappings and specify a KMS key that you own in your account.

  • Request the owning account to grant you access to the KMS keys used to encrypt the volumes by updating the KMS key policy. For more information, see Allow users in other accounts to use a KMS key.

Cross-Region restore failures

Description: Amazon EC2 instance restore fails when attempting to restore from a cross-Region backup.

Issue: The volumes in the backup might be encrypted with single-Region Amazon KMS keys that are not available in the destination Region. Or, the volumes attached to the source instance are unencrypted.

Solution: To resolve this issue, set the encrypted attribute to true, and override the KMS key in the BlockDeviceMappings with a KMS key in the destination Region.
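The following script is an added example, not part of this page or of Amazon Backup itself. It ties together the CLI/SDK metadata section above and the two troubleshooting cases: it accepts the metadata keys this page lists, rejects the unsupported SnapshotId and OutpostArn attributes in BlockDeviceMappings, and, for a cross-account or cross-Region restore, refuses to submit a job unless every volume is Encrypted with an explicit KmsKeyId override. It then serializes the settings into the string-to-string map that the StartRestoreJob API takes (nested values such as SecurityGroupIds and BlockDeviceMappings are passed as JSON-encoded strings) and submits through boto3. The instance, subnet, security group and KMS key identifiers are constructed placeholders; the choice to encode booleans as the strings "true"/"false" is an assumption about the API's metadata format, not something stated on this page.

```python
"""Pre-flight validation and submission of an Amazon Backup EC2 restore job.

Added example; not the page's or the service's own code. boto3 is imported
only when a real job is submitted, so validation runs without credentials.
"""
import json

# Metadata keys this page lists as accepted for an EC2 recovery point
# (vpcId is accepted but information-only).
ACCEPTED_KEYS = {
    "InstanceType", "KeyName", "SubnetId", "Architecture", "EnaSupport",
    "SecurityGroupIds", "IamInstanceProfileName", "CpuOptions",
    "InstanceInitiatedShutdownBehavior", "HibernationOptions",
    "DisableApiTermination", "CreditSpecification", "Placement",
    "RootDeviceType", "RamdiskId", "KernelId", "UserData", "Monitoring",
    "NetworkInterfaces", "ElasticGpuSpecification",
    "CapacityReservationSpecification", "InstanceMarketOptions",
    "LicenseSpecifications", "EbsOptimized", "VirtualizationType",
    "Platform", "RequireIMDSv2", "BlockDeviceMappings",
    "aws:backup:request-id", "vpcId",
}
# Ebs attributes the page says are not supported in BlockDeviceMappings.
UNSUPPORTED_EBS_KEYS = {"SnapshotId", "OutpostArn"}


def validate_block_device_mappings(mappings, require_kms_override=False):
    """Return a list of problems (empty means the mappings look restorable).

    require_kms_override models the cross-account / cross-Region case from the
    troubleshooting section: every volume must be Encrypted=true with a
    KmsKeyId the restoring account owns in the destination Region.
    """
    problems = []
    for i, mapping in enumerate(mappings):
        ebs = mapping.get("Ebs", {})
        bad = UNSUPPORTED_EBS_KEYS & set(ebs)
        if bad:
            problems.append(f"mapping {i}: unsupported Ebs keys {sorted(bad)}")
        if require_kms_override:
            if ebs.get("Encrypted") is not True:
                problems.append(f"mapping {i}: Encrypted must be true")
            if not ebs.get("KmsKeyId"):
                problems.append(f"mapping {i}: KmsKeyId override is required")
    return problems


def check_settings(settings, cross_boundary=False):
    """Collect every problem with a plain settings dict before serializing."""
    problems = [f"unsupported metadata key {k}" for k in sorted(set(settings) - ACCEPTED_KEYS)]
    if "BlockDeviceMappings" in settings:
        problems += validate_block_device_mappings(settings["BlockDeviceMappings"], cross_boundary)
    return problems


def build_restore_metadata(settings, cross_boundary=False):
    """Convert settings into the string->string Metadata map StartRestoreJob takes.

    Assumption: booleans travel as "true"/"false"; lists and dicts as JSON text.
    Raises ValueError rather than submitting a job that the page says will fail.
    """
    problems = check_settings(settings, cross_boundary)
    if problems:
        raise ValueError("; ".join(problems))
    metadata = {}
    for key, value in settings.items():
        if isinstance(value, bool):
            metadata[key] = "true" if value else "false"
        elif isinstance(value, str):
            metadata[key] = value
        else:
            metadata[key] = json.dumps(value)
    return metadata


def start_restore(recovery_point_arn, iam_role_arn, metadata, client=None):
    """Submit the job and return its RestoreJobId. client is a boto3 Backup client."""
    if client is None:
        import boto3  # deferred so validation works offline
        client = boto3.client("backup")
    resp = client.start_restore_job(
        RecoveryPointArn=recovery_point_arn,
        Metadata=metadata,
        IamRoleArn=iam_role_arn,
        ResourceType="EC2",
    )
    return resp["RestoreJobId"]


# Constructed sample settings with placeholder identifiers (hypothetical).
SAMPLE_SETTINGS = {
    "InstanceType": "t3.micro",
    "SubnetId": "subnet-0123456789abcdef0",
    "SecurityGroupIds": ["sg-0123456789abcdef0"],
    "RequireIMDSv2": True,
    "BlockDeviceMappings": [
        {
            "DeviceName": "/dev/xvda",
            "Ebs": {
                "DeleteOnTermination": True,
                "VolumeSize": 16,
                "VolumeType": "gp3",
                "Encrypted": True,
                # Key in the restoring account and destination Region (placeholder ARN).
                "KmsKeyId": "arn:aws-cn:kms:cn-north-1:123456789012:key/11111111-2222-3333-4444-555555555555",
            },
        }
    ],
}

if __name__ == "__main__":
    # Validate as a cross-account/cross-Region restore, then print the map
    # that would be sent. Replace the placeholder ARNs before calling start_restore.
    print(json.dumps(build_restore_metadata(SAMPLE_SETTINGS, cross_boundary=True), indent=2))
```

Because IamInstanceProfileName is just another metadata key here, leave it out (or set it to the original profile name) to match the console's two choices; pointing it at a more privileged profile is exactly the escalation the console restriction exists to prevent, so have the restore role's iam:PassRole permission scoped to the original role ARN as shown earlier on this page.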